<<< Date Index >>>     <<< Thread Index >>>

Re: [Full-disclosure] Unfiltered escape sequences in filenames contained in ZIP archives wouldn't be escaped on displaying or logging, and can also lead to bypass AV scanning





--On Dienstag, 15. März 2005 08:34 -0800 bipin gautam <visitbipin@xxxxxxxxx> wrote:

I STIL FIND IT happy to
see there are lot of AV out there that cant scan such
file properly to detect virus.

The problem must be located in the unzip engine:

We've created a mixed ZIP now:

# unzip -l mixed-eicar.zip
Archive:  mixed-eicar.zip
 Length     Date   Time    Name
--------    ----   ----    ----
308 03-10-05 12:00 Test^G^[[2J^[[2;5m^[[1;31mHACKER ATTACK^[[2;25m^[[22;30m^[[3q.txt
     308  03-10-05 12:00   eicarcom2.zip
--------                   -------
     616                   2 files


BTW: note here that "unzip" displays the escape sequences very proper!

Available here:
<ftp://ftp.aerasec.de/pub/advisories/unfiltered-escape-sequences/mixed-eicar.zip>

Some AV software detect the virus only in second part of the ZIP file, so it looks like the first one is really skipped and not analysed.

        Peter
--
Dr. Peter Bieringer                             Phone: +49-8102-895190
AERAsec Network Services and Security GmbH        Fax: +49-8102-895199
Wagenberger Strasse 1                          Mobile: +49-174-9015046
D-85662 Hohenbrunn                       E-Mail: pbieringer@xxxxxxxxxx
Germany                                Internet: http://www.aerasec.de